Could We Eliminate Spam With DMARC? (zdnet.com)
An anonymous reader writes:
"The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
Re: Compatible? Nyet! (Score:2)
And then you're blocking pretty much any corporate user of O365 or any number of Microsoft "server" product users or anyone using built-by-stupid products like MailChimp, or similar "cloudy" "service as a service" providers you see advertised.
DMARC has been around for pretty much 2 decades, if it hasn't been picked up now, it never will.
Re: (Score:2, Redundant)
DMARC has been around for pretty much 2 decades, if it hasn't been picked up now, it never will.
I had been around for pretty much 2 decades before I got picked up. Got married a few years later.
Re: Compatible? Nyet! (Score:5, Insightful)
And then you're blocking pretty much any corporate user of O365 or any number of Microsoft "server" product users
Still failing to see the downside here...
Re: (Score:1)
I fucking hate mailchimp. I have never in my life signed up for that spam but their idiot customers keep putting me on lists. Mailchimp is spam pure and simple.
Re: (Score:2)
You can configure DMARC to ignore SPF, mitigating the problem with unpredictable IPs on some cloud providers and O365 (and most other big email hosting providers) support DKIM just fine.
DMARC hasn't been picked up because most email recipients don't handle it at all, making it a low benefit for a relatively high risk of misconfiguring, confounded by the almost total lack of recipients actually sending RUA/RUF reports (only ever gotten them from Gmail) you need to configure DMARC confidently enough.
Re: (Score:3)
Re: (Score:2)
Works only if you don't have any kind of automated provisioning; DNS doesn't propagate fast enough to compensate.
Also, SPF is limited to a set limit (10 if I remember correctly) of entries which can either mess up your entire SPF when SPF is changed down the line or simply because you have too many IP ranges in your network.
Re: (Score:3)
I just checked my DMARC inbox, Yahoo and Microsoft are sending DMARC reports so that's the big three email providers plus a bunch of smaller providers.
DMARC is definitely being adopted.
Nonsense (Score:1, Insightful)
Re:Nonsense (Score:5, Informative)
I have both DMARC and SPF installed and configured correctly... I still get spam! ...
DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.
And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.
All the spammer has to do is also set up SPF and DMARC.
With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point
Re: Nonsense (Score:1)
Only if the spammer doesn't use the same server/service as your sender or hasn't set up DMARC/SPF themselves. E-mail was built to be decentralized and robust, there are two problems with the current approaches:
DMARC/SPF - pretty much any anti-spam - relies on the cooperation of both senders and/or receivers and making things less robust so you can "break" the robustness for bad people and keep it intact for good people. You require the cooperation of a significant number of people to keep sort of trust up
Re: (Score:2)
Re: (Score:2)
And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.
DMARC isn't really a spam filtering system (nor are its components SPF and DKIM), just an "is this email from foo@bar.com actually from bar.com". If I'm getting spam from ilovespam.com it's not going to do much good.
Re: (Score:2)
In theory, it's a lot easier to sue ilovespam.com and get it shut down and that should eventually result in less spam.
Re: (Score:2)
Apart from the fact that spammers are increasingly using legitimate email services for spam (which, regardless of DMARC and SPF, means you're right back to Bayesian filters), the fundamental problem with DMARC, SPF or any other kind of email "authentication" system is that it fundamentally constitutes a chicken-and-egg problem. Without widescale adoption, you can't really use these techniques as a binary deliver/drop test, but so long as you can't filter email on the presence of an SPF or DMARC header
Re: (Score:2)
DMARC can only ever block fake mail pretending to be sent from legit domain names.
It's mostly to prevent phishing, not spam.
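An added example, not code from any commenter or project, of the check discussed in the comments above: DMARC passes when SPF or DKIM passes for a domain aligned with the From header, so a forged From fails, a DKIM-signing cloud sender passes without aligned SPF, and a throwaway domain with its own records passes too. All names and domains are constructed; organizational domains are approximated as the last two labels, where a real receiver uses the Public Suffix List.

```python
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into tags, applying the relaxed-alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str   # domain of the From: header shown to the user
    spf_result: str    # SPF verdict computed upstream: "pass", "fail", "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF checked
    dkim_result: str   # DKIM verdict computed upstream
    dkim_domain: str   # d= domain of the DKIM signature


def evaluate(msg, record_txt):
    """Return (dmarc_result, disposition) for one message."""
    if record_txt is None:
        return ("none", "deliver")  # From domain publishes no policy
    tags = parse_dmarc_record(record_txt)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.header_from, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", actions.get(tags["p"], "deliver"))


# Constructed policy and messages.
BANK_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"
STRICT_POLICY = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

# Forged From: SPF passes, but only for the sender's own envelope domain.
FORGED = Message("bank.example", "pass", "botnet.example", "none", "")
# Real bank mail via a cloud sender: SPF unaligned, DKIM signed by the bank.
CLOUD = Message("bank.example", "pass", "bounces.cloudsender.example",
                "pass", "mail.bank.example")
# Throwaway domain that publishes its own SPF, DKIM and DMARC records.
THROWAWAY = Message("promo.example", "pass", "promo.example",
                    "pass", "promo.example")

if __name__ == "__main__":
    for name, msg, policy in [("forged", FORGED, BANK_POLICY),
                              ("cloud sender", CLOUD, BANK_POLICY),
                              ("throwaway domain", THROWAWAY, BANK_POLICY),
                              ("cloud sender, strict", CLOUD, STRICT_POLICY)]:
        print(name, evaluate(msg, policy))
```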
Re: (Score:2, Interesting)
My what a rose-colored world you live in.
Our domain receives about 1,500 mails per day that pass SPF validation. There's a cartel of spammers that are registering throw-away domains with SPF records that include their zombie senders' IP addresses. Thankfully we have other techniques to filter out those 1,500 messages with around 0.5% false positives. Since spammers have full control over their zombie network I
Re: (Score:1)
Google seems to make this work. I didn't used to have SPF and such set up. I tried to send a friend an e-mail. It went directly to his spam folder. I checked it out with my own google account, same thing. It had a little message why. So I put the whole framework in and google will happily take my e-mail.
Still like to see these people go to jail. It's a business. Organized crime. They have campaigns. Ransomware, Spam, Phishing, Malware, etc.
Re:Nonsense (it's a vexed problem) (Score:3)
Spam has economic, legal, technical and psychological causes. That suggests that if you try and treat it as a technical problem alone, you're going to wonder why it isn't fixed already.
I live in Canada, where spammers get fined, over the loud objections of the sleazy side of the business community, and it's having an effect in the legal and psychological domains. This summer, the law will also allow suing spammers, which takes it into the economic domain as well.
If this, along with technical solutions like spa
Re: (Score:1)
Spam has economic, legal, technical and psychological causes.
Apparently, so does Twitter ... :-)
Re: (Score:2)
Where I come from, "twit" is by no means a compliment (;-))
Re: (Score:2)
Has the 'twit'/'twat' debate finally been settled?
Re: (Score:3)
The next step is then obvious, fine those companies that pay for that spam as well. Catch a spammer, go through his spam history and fine those companies that paid them.
Re: (Score:2)
... Catch a spammer, go through his spam history and fine those companies that paid them.
Follows naturally from opening it up to lawsuits: "if you were paid to do this, testify against the payer and we'll let you off easy".
Thanks, that's a good argument for opening it up to suits.
Yes we can, but we won't (Score:2)
Human caused problems generally are easy to solve but are not because established interests prevent them.
Email spam is entirely due to the total absence of sender verification. Require some form of sender verification with the ability to complain (and block those with excessive complaints) and you solve the issue.
Re:Yes we can, but we won't (Score:4, Insightful)
Re: (Score:2)
What if someone gets control over your computer, and sends out spam using your credentials ?
Re: (Score:2)
First you have to fix it. If you don't, then you don't deserve to send out email. Because right now, many criminals take over computers and use them to send out spam and the computer's owner does not fix it.
Second, you have to drop that email account and use another one. Not that hard, they are free from gmail, protonmail, outlook, yahoo etc. If your entire email server is pawned, then you have to change the domain. Consider it the appropriate punishment for failing to maintain proper security - it's
"Could We Eliminate Spam With DMARC?" (Score:5, Interesting)
"No."
See, that was easy! Technological solution to a sociological problem, and so on.
Re: (Score:2)
If DMARC were mandatory for all email, we'd still see plenty of spam. All snowshoe spam, for example, uses DMARC in order to look like a legitimate marketer and get the free passes that ... no anti-spam system awards.
All DMARC does is prevent spoofing of the From header's domain. You can still set up your own "marketing" domain and spew spam. You can still register bankofamerica-customersupport.com or create an account for "bank0famerca@yahoo.com" or hack into "anonymous_coward@gmail.com" and change th
Barracuda (Score:5, Interesting)
On another note, if you send a ~45 MB attachment to the device, apparently it clogs up and refuses to deliver. Other mail will go through without problems, but you have to call their tech support to 'force' it through.
Barracuda is a terrible, over-priced, barely-functional product.
Re: (Score:2)
I thought it was just a repackaged derivative of SpamAssassin.
Re:Barracuda (Score:4, Interesting)
I thought it was just a repackaged derivative of SpamAssassin.
Yeah, that's basically it in a nutshell.
Nothing you can't rapidly duplicate with a Debian install and a few salt or puppet scripts. I tested it against the previous Haraka install with spamassassin, dspam, clamav, and their 'karma' plugin, and the accuracy of the Barracuda sucked in comparison.
Re: Barracuda (Score:3)
It is but the configuration isn't directly editable and seems to be both made by and targeted towards the clueless end user. (TiVo-ization)
Re: (Score:3)
The email microtax idea (a 0.001 USD per email, except within an organization) was floated 15 years ago, and still seems to be a pretty decent idea. That won't "eliminate" anything bad, but it might help mitigate the problem.
Completely unenforceable. SMTP works with end-to-end encryption now, so there's no way of knowing how many e-mails were sent and received from listening to traffic. Unless you put a government snooping e-mail server in every home and business and make it a felony to route around them. I don't want to live in that society.
Re: And perpetual motion machines are coming too (Score:2)
Also a legal problem. What do you tax? An SMTP transaction? If I send you a message over Facebook does it count? Twitter? Whatsapp? An SMS?
What happens if I slightly modify the protocol? Is that still a taxable Email? Run SMTP over NetBIOS? Add some extension? Use another port? Where is the line?
It is impossible to precisely define the thing you intend to tax here.
Re: (Score:2)
A large non-profit internet forum site could easily generate tens of thousands of user-requested thread update emails per day. Even at 0.001 each they could end up spending $100 a year on that. Meanwhile, spammers would likely find it pays off to spend $100 per year for tens of millions of emails.
Clueless idiot (Score:5, Informative)
Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.
There's nothing about SPF, DMARC, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.
As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...
More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.
SO FUCKING WHAT? Did someone drop this moron on his head, as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys, to authenticate the domain, then start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?
Re: (Score:2)
As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...
I first thought that was some sort of progress bar and thought, "Cool. How'd he do *that* on /." but, sadly, there's no "I" in progress bar.
Your post advocates a... (Score:5, Insightful)
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Re:Your post advocates a... (Score:5, Informative)
Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.
It boils down to this. If you want your MTA to function as a general open email transport system, you cannot kill messages based upon whether they pass or fail solutions like DMARC. There's some logic to weighting failures of SPF checks and the like to make it more likely that a failed message will be rejected, but to actually use SPF and its kin as a sort of yes/no logic gate would lead to an unbelievable number of false positives, and I question the legitimacy of anyone claiming to be some sort of cybersecurity expert who claims such solutions are the be-all and end-all.
Re: (Score:3)
Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.
It was already old on Usenet before it reached Slashdot.
Re: (Score:2)
Yeah! It's been so long, I'm glad this story came along.
Re: (Score:2)
HealthCare.gov (Score:2)
Don't want spam? Don't have an e-mail account. It is 100% possible in 2017.
I don't see how, at least for residents of Slashdot's home country. The U.S. federal health care marketplace (HealthCare.gov) requires each user to confirm ability to receive e-mail at a unique address.
Five-dollar wrench solution (Score:1)
OR!
Every time you positively ID someone running a big spam operation, raid their residence and shoot them in both kneecaps.
After it happens four or five times the rest of the spammers will probably find another hobby.
Re: Five-dollar wrench solution (Score:2)
Spam is profitable enough to bear that risk. Even if your kneecaps get a bullet in them, you still get a nice mansion to live in.
Re: (Score:2)
I'm pleased to say we're doing this in Soviet Canuckistan. We're only fining them, though (;-))
Re: (Score:2)
Meh.
I'm going to check the last box in the "philosophical objections" section of the old "your anti spam method won't work" form that someone posted upthread.
I think that's bollocks! (Score:4, Interesting)
Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.
Re: (Score:2)
Exactly this. Google seems to do a decent job of keeping spam out of my inbox.
You're arguing against a decentralized Internet because one example of a highly centralized Internet service has a competitive advantage, probably because there's no successful anti-spam cooperation protocol.
DCC/Razor/Pyzor do help, but somehow Google's spent a decade improving their detection AI and the open solutions have stalled. Our community seems to not chase diminishing returns, even when the 20% is ultimately more valuabl
Re: I think that's bollocks! (Score:2)
The open solutions are pretty close to perfect. I get a much better detection and block rate (99%) on private servers than my Google account (80-90%). I occasionally get a clueless Exchange admin that wonders why their IP is on a block list but even then, the user gets the email encapsulated with a big warning and the admin gets a lesson in SMTP 101.
Email outsourcing companies have to play along (Score:2)
Email outsourcing companies don't seem to place much value on following rules like SPF and DMARC. A lot of the false positives we get in quarantine are from senders using email outsourcing or "relationship management" companies. After all, the company gets paid by their customer for sending the mail, and has no real accountability whether the customer's email is properly formatted and delivered.
And with large institutions (particularly universities) moving to outsource email and other IT services, this pr
gray listing works (Score:3)
it doesn't eliminate all, but it's cut my span significantly
Re:gray listing works (Score:5, Funny)
How big was your span originally?
Re: (Score:2)
Before, it was in the multiple of hundreds a day. Now in the multiple of tens a day
Re: (Score:2)
Only "funny" modded comment? A feeble joke on an obvious spelling error?
Sadness.
Re: (Score:3, Informative)
I've found greylisting to certainly cut down a lot. Its effectiveness has decreased over time as spammers switch to using proper mail servers instead of PHP or COM SMTP classes, but it still nails the bulk of spam.
This is only half the problem (Score:4, Insightful)
The majority of malware and spam come from botnet controlled accounts on valid domains. Most of the 419 spam originates at gmail. Not because gmail is worst, but it's because it's a trusted source of mail.
The reason I say this is not going to work is that you will get spam on any popular communication mechanism. Facebook gets quite a bit now, that's not email, and they control both the sender and the receiver, the spam could be zapped before you know about it, you're just seeing that which got through the filters from a sender that has not been reported.
Re: (Score:2)
You use free-email account systems for throw-away crap and as such any legitimate email service should be scoring emails from them lower.
Re: (Score:2)
That simply isn't the case. Countless numbers use gmail and outlook for their primary email as they use the biggest providers as they are unable to set their own up. This type of person would only add to the spam problem as they would be unlikely to maintain their private SMTP service.
Re: (Score:2)
I assume that a "legitimate email service" refers to the one provided by the same ISP that the user pays for routing messages to and from the Internet. For example, if you subscribe to Xfinity Internet at home, your "legitimate email service" has an address ending in @comcast.net.
Re: (Score:2)
For example, if you subscribe to Xfinity Internet at home, your "legitimate email service" has an address ending in @comcast.net.
Sadly ISPs don't let you take your email address when you switch provider, hence anyone who needs to remain in contact with people will have to use something independent, such as outlook or gmail. They could set their own up at cost of course and hope they don't forget to renew their own domain. The easiest and most natural solution is to use a free provider who has been in the business for decades.
Re: (Score:2)
I stated that email addresses from free-email accounts should never be trusted (and should be automatically scored worse by anti-spam systems) and that anyone that wants a trusted email account for their primary email address should pay for it on a non-free-email account domain.
You want to eliminate spam, you get people away from using free-email systems where the majority of spammers hide now.
Something must be done! This is something... (Score:1)
Therefore it must be done
Email is bullshit (Score:3)
There are a number of problems with email security that all feed back on themselves. One problem is that a shocking number of major corporations don't bother with these measures, making it pointless for anyone else to. If I set up SPF on my mail server, and a test email from none other than Google fails to arrive because their SPF records are wonky, so as a small two-bit operator I need to either disable all this nice security, or maintain an extensive whitelist for all the companies who don't do things properly. And SPF is trivial to implement compared to domainkeys.
And meanwhile, these same companies may block MY email for ridiculously arbitrary reasons. One time I had to troubleshoot why an email sent through my server didn't arrive, and it turned out that the recipient was using some kind of idiotic filter that insisted the EHLO have some kind of ridiculous format that has nothing to do with any security recommendation or in the RFC.
These wonderful doodads like DMARC are useless if nobody can be bothered to implement them, and really, why SHOULD people bother to implement them if nobody else does?
This requires everyone agreeing to work together to get this implemented, which basically guarantees that it never will.
Re: (Score:2)
Thank you for pointing out yet another example of how idiotic the whole thing is.
Email servers are the backbones of internet communication. Maybe today's JavaScript developers are happy to rip out and replace their frameworks on a monthly basis, but server administrators do not have that luxury.
Pick something that works, and leave it alone FFS.
DMARC works but is by providers for providers. (Score:3, Informative)
DMARC was created by PayPal in conjunction with Google, Microsoft and Yahoo! as a way to stop spam and, more importantly, phishing emails from _their_ domains. If you have DMARC set up properly on your MX you most likely have zero spam in your users' mailboxes from any domains owned by those companies and to that end, DMARC is 100% successful.
But the entire process is set up to validate the sender's domain, not the trustworthiness of that domain. As many have pointed out, as long as I set up the proper SPF and DKIM records for iamsp.am, DMARC is going to happily accept it. My servers implement DMARC but I still had to specifically blacklist care.com [care.com] because they were spamming us from properly validated servers (we had canceled our subscription and had all communications options turned off and they were still regularly sending us emails with no opt-out link claiming they were for "admin" purposes).
The one nice feature that DMARC does bring is that you have the option to get notifications from other MXs that use DMARC detailing what traffic they've received claiming to be from your domain and how that traffic scored. It assists in debugging setup problems and identifying servers trying to spoof your domain. We recently caught one server in Germany trying to send a lot of email as one of our domains (Google, Microsoft, and Yahoo all sent DMARC reports listing it). We contacted their ISP and it stopped a couple of days later. Being proactive about that helps keep your domain(s) off shared blacklists but it's a manual/proactive process and it's not going to catch everything.
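An added example, not the commenter's tooling or any project's code, of triaging the aggregate (RUA) reports described in the comment above: it merges reports from several receivers and separates sources that failed both checks (possible spoofing) from sources that passed only one (likely a setup gap on your own side). Reporter names, domains and IPs are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def make_sample_report(org, rows):
    """Build a constructed aggregate report; rows are (ip, count, dkim, spf)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>ourdomain.example</header_from></identifiers>"
        f"</record>"
        for ip, n, dkim, spf in rows
    )
    return (
        '<?xml version="1.0"?><feedback>'
        f"<report_metadata><org_name>{org}</org_name></report_metadata>"
        "<policy_published><domain>ourdomain.example</domain><p>none</p>"
        f"</policy_published>{records}</feedback>"
    )


def parse_report(xml_text):
    """Yield one dict per <record>. Reports arrive by mail from third parties,
    so treat them as untrusted input: refuse DTDs and entity declarations."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in reports")
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    for rec in root.iter("record"):
        yield {
            "reporter": reporter,
            "source_ip": rec.findtext("row/source_ip", default=""),
            "count": int(rec.findtext("row/count", default="0")),
            # policy_evaluated holds the aligned DKIM/SPF verdicts DMARC used
            "dkim": rec.findtext("row/policy_evaluated/dkim", default=""),
            "spf": rec.findtext("row/policy_evaluated/spf", default=""),
        }


def _merge(reports, keep):
    """Sum message counts per source IP over all reports for rows where keep(row)."""
    merged = defaultdict(lambda: {"count": 0, "reporters": set()})
    for xml_text in reports:
        for row in parse_report(xml_text):
            if keep(row):
                merged[row["source_ip"]]["count"] += row["count"]
                merged[row["source_ip"]]["reporters"].add(row["reporter"])
    return sorted(
        ((ip, e["count"], sorted(e["reporters"])) for ip, e in merged.items()),
        key=lambda item: -item[1],
    )


def unauthenticated_sources(reports):
    """Sources that failed both DKIM and SPF: candidates for spoofing follow-up."""
    return _merge(reports, lambda r: r["dkim"] != "pass" and r["spf"] != "pass")


def partially_authenticated_sources(reports):
    """Sources passing exactly one check: usually a missing SPF entry or DKIM key."""
    return _merge(reports, lambda r: (r["dkim"] == "pass") != (r["spf"] == "pass"))


# Constructed reports from two receivers (documentation IP ranges).
REPORT_A = make_sample_report("reporter-a.example", [
    ("192.0.2.10", 120, "pass", "pass"),    # our own outbound server
    ("203.0.113.77", 40, "fail", "fail"),   # unknown host using our domain
    ("198.51.100.5", 15, "pass", "fail"),   # signs with DKIM, not in SPF
])
REPORT_B = make_sample_report("reporter-b.example", [
    ("192.0.2.10", 60, "pass", "pass"),
    ("203.0.113.77", 25, "fail", "fail"),
])

if __name__ == "__main__":
    print("failed both:", unauthenticated_sources([REPORT_A, REPORT_B]))
    print("passed one:", partially_authenticated_sources([REPORT_A, REPORT_B]))
```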
eliminate privacy (Score:2)
Given that AI can catch 99.9% of spam [wired.com], the spam problem has largely been solved.
DMARC isn't even an anti-spam protocol, it's simply a protocol that prevents E-mail addresses from getting forged. But given the huge number of E-mail providers out there, spammers don't need to bother forging the source of E-mails. In addition, spammers can always corrupt and subvert domain registrars. So, DMARC is likely to be of negligible effectiveness compared to existing AI techniques.
DMARC and similar systems would mainly
DMARC and Jalad at Tanagra (Score:2)
Re: (Score:2)
Sokath, his eyes open!
DMARC and Jihad with V149R4 (Score:2)
Is there a geek card to turn in [slashdot.org]?
doesn't stop spam now, why would more be better (Score:2)
More paperwork isn't the solution.
Here's a thought (Score:1)
Why doesn't the U.K.'s National Crime Agency spend a crap ton of money prosecuting spammers off the face of the earth instead? Spam is a crime like any other. It has a source and it makes criminals money. Do something about that and stop wasting time and money on bandaid fixes that will never work.
If ISPs and big mail services like gmail "stopped" filtering spam then we'd all see just how bad the problem really is. Then, maybe, just maybe we'd all get collectively mad enough about it to send a message t
Except it won't (Score:2)
>"The spam problem would [...] probably almost go away, [...] if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors"
Except we can already deal with that type of spam using RBL and other methods. The majority of spam that remains is the worst kind- from businesses sending us endless marketing crap from legitimate domains, claiming we "opted in", which of course we did not. Every single place we interact with demands
This is a stupid idea (Score:2)
The only thing it will do is to increase the motivation of spammers to hack machines to send SPAM. Filtering works pretty well, use it.
No. Next question. (Score:2)
It's hard for me not to dismiss it as a troll article when it mentions "eliminate" and "spam" in the headline. The answer is "No, no, NO, you're NEVER going to eliminate every annoying email message that someone doesn't regard as spam."
Yeah, the article clarifies that it's really another reduction strategy, but I still feel the best one is to go after the spammers' business models. The most persistent and annoying spammers have business models, and as long as the business models keep working, then those spa
lets switch from capitalism to communism (Score:1)
capitalism requires people to make money to live and survive. to acquire their basic needs such as education, shelter, healthcare, and whatnot, and most never make enough to obtain these things entirely, you have to get money from somewhere. in this case spam generates enough revenue for many that they keep on doing it.
spam is not normally done as a cyber assault, but once people no longer were required to get money, perhaps the only 'spam' we'd be seeing was assault based, psychological warfare, and crimin
Arms Race (Score:2)
This has, like many things like cracking DRM, become an arms race between spammers and anti-spam technologies.
I run a small ISP that was established in 1995. Spam was non-existent when we started our company. Since then many anti-spam measures have been implemented. All are effective when deployed. They get less effective over time as spammers find ways around them.
Most of the spam that leaves our network results from infections people get on their computers. These send through our servers and leave with corre
Re: (Score:2)
Why not filter outgoing mail through Spamassassin? I've been doing that for many years, Postfix-Spamassassin-ClamAV with Postgrey is about as good as it gets, and since I don't want my servers puking spam and malware, I treat all messages with suspicion.
Old "why your spam solution does not work" letter (Score:2)
There is an old form used to evaluate anti-spam solutions, at https://craphound.com/spamsolu... [craphound.com]. It's a useful tool to evaluate spam solutions and can even be applied to various security software practices.
In this case, I see a number of issues.
( ) Users of email will not put up with it
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Open relays in foreign countries
( ) Huge existing software investment in SMTP
( ) Willingness of users to install OS patches received by em
Humans needed but there are some solutions (Score:2)
There are some things that will work.
A major provider carries email for a lot of people and can tell if mail is spam if
- the people have no intersecting interests
- they mostly receive it at the same time
- a number of users mark it as spam (nearly all users who regularly mark anything as spam)
Google is obviously doing this and some other for-pay providers too, is my guess. I'd pay for a way to be able to test my email headers against such a service without actually running my email through their servers.
Also
Re: (Score:1)
I work in a data recovery company. So one day we have this harddrive completely recovered and are filtering for the directories that need to be sent to the client and which ones are "not interesting". So we scan what's in there and find lots of images. Lots of PORN images. So we delete that sub directory (= mark as "do not send to client"). We go on to find some more porn delete that too and end up with nothing. Some research learned that our client was in the porn business. The images we found are the stu
Charge money to *RECEIVE* email. (Score:1)
Big companies still get it wrong. (Score:2)
Just a couple of weeks ago I asked my colleague if he got an Email I knew he was CC-ed on. "Nope didn't see it".
On inspection we found that the sending company had installed DKIM and SPF and set them to "don't warn, simply refuse the mail".
This was something like paypal or ebay where this came from. Sure, they have big infrastructure which is difficult to get right, but also they should have a big team capable of getting things right.....
it is difficult to get things right. Lots of stuff is being sent autom
Rolled out everywhere (Score:2)